SOLVED

Configuring Multiple SAML configs in Publisher (audienceRestrictions violated error)

Antony6790 (Level 2)

Hi all,

We are configuring 2 SAML configs for 2 sites in Publisher. One SAML config is for SiteMinder and the other SAML config is for Ping Identity.

In each config, I have added content paths for each site, same ranking, updated IdP URLs (SM and Ping IdP URLs) with separate Entity IDs, default redirect paths and ACS URLs (e.g. https://abc.com/saml_login, https://xyz.com/saml_login).

SSO is not working for one site (it goes into an infinite loop) if both SAML configs are enabled. I'm seeing the error below in the SAML trace. However, if I disable one SAML config, there are no issues with SSO login.

26.03.2021 04:08:37.400 *DEBUG* [qtp1786311869-8128] com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
26.03.2021 04:08:37.400 *INFO* [qtp1786311869-8128] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

Any inputs to resolve this issue with multiple SAML configs?

Thanks.

1 Accepted Solution
Correct answer by Rohit_Utreja (Level 4)

5 Replies

jbrar (Employee)

The issue seems to be with the path and Assertion Consumer URL:

If the path is "/content/sitea", then /content/sitea/saml_login should be the ACS endpoint.

If the path is "/content/siteb", then /content/siteb/saml_login should be the ACS endpoint.

Antony6790 (Level 2)

Tried with the paths in the ACS URL, but we are seeing infinite redirects with a 404 error for the /content/siteA path.

We have dispatcher rules for the site: if a request comes in with the /content/siteA path, it translates this to /content/siteA/homepage.html. Not sure whether any dispatcher rules are causing this infinite loop.

 

Thanks

Antony

visa679 (Level 2)

Issue resolved by providing the host name (https://abc.com/) in the path field instead of the content path.

Thanks.
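
The following is an added model, not code from the thread or from AEM, of the security check behind the "audienceRestrictions violated" line and of why the two fixes discussed above (ACS under each content path, or a host name in the path field) stop the loop. An SP that hosts several SAML configs first picks one handler for the incoming ACS request and then compares the assertion's <Audience> against that handler's own SP entity ID; if the handler that wins the request is not the one whose entity ID the IdP put in the assertion, the assertion is rejected, the user is sent to the login error page, and a fresh login starts. Everything about how the handler is picked is an assumption of this model (longest matching "path" prefix, first listed config winning a tie, a path starting with "http" matched against the full URL including host), as are the entity IDs, the sample assertion and the three config sets.

```python
"""Model (added example, not AEM's code) of handler selection followed by the
SAML AudienceRestriction check for an SP with two SAML handler configs.

Assumptions, not taken from the product: a handler is selected by the longest
matching "path" prefix, ties going to the first config listed; a path that
starts with "http" is matched against the full request URL, host included.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SM_ENTITY = "https://abc.com/sp/siteminder"   # constructed SP entity IDs
PING_ENTITY = "https://xyz.com/sp/ping"


@dataclass(frozen=True)
class SamlConfig:
    name: str
    path: str        # the handler's "path" field: a content path or a URL with host
    entity_id: str   # SP entity ID this handler expects to find as <Audience>
    acs_url: str


def select_handler(request_url: str, configs: List[SamlConfig]) -> Optional[SamlConfig]:
    """Longest-prefix match; the first listed config wins a tie (model assumption)."""
    req_path = urlsplit(request_url).path
    best = None
    for cfg in configs:
        subject = request_url if cfg.path.startswith("http") else req_path
        if subject.startswith(cfg.path) and (best is None or len(cfg.path) > len(best.path)):
            best = cfg
    return best


def audiences(assertion_xml: str) -> List[List[str]]:
    """One inner list per <AudienceRestriction>. SAML Core ANDs the restriction
    elements and ORs the <Audience> values inside each one."""
    root = ET.fromstring(assertion_xml)
    return [
        [a.text.strip() for a in ar.findall("saml:Audience", SAML_NS)]
        for ar in root.findall(".//saml:Conditions/saml:AudienceRestriction", SAML_NS)
    ]


def audience_ok(assertion_xml: str, entity_id: str) -> bool:
    restrictions = audiences(assertion_xml)
    if not restrictions:
        return False   # strict choice in this model: reject assertions with no audience scoping
    return all(entity_id in r for r in restrictions)


def handle_response(request_url: str, assertion_xml: str, configs: List[SamlConfig]) -> str:
    """What the chosen handler decides for a SAML response posted to request_url."""
    cfg = select_handler(request_url, configs)
    if cfg is None:
        return "no_handler"
    if not audience_ok(assertion_xml, cfg.entity_id):
        # This is the "Invalid Assertion: audienceRestrictions violated" case: the
        # SP redirects to the login error page and the next request starts SSO again.
        return f"{cfg.name}: invalid_token"
    return f"{cfg.name}: ok"


def assertion_for(*audience: str) -> str:
    """Constructed, unsigned minimal assertion for the model; a real one also carries a Signature."""
    auds = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audience)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0">'
        "<saml:Issuer>https://idp.example/ping</saml:Issuer>"
        f"<saml:Conditions><saml:AudienceRestriction>{auds}</saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


# Three ways of configuring the same two handlers (all values constructed).
OVERLAPPING = [   # both cover "/", so every ACS hit lands on the first config
    SamlConfig("siteminder", "/", SM_ENTITY, "https://abc.com/saml_login"),
    SamlConfig("ping", "/", PING_ENTITY, "https://xyz.com/saml_login"),
]
PATH_SCOPED = [   # ACS placed under each content path
    SamlConfig("siteminder", "/content/sitea", SM_ENTITY, "https://abc.com/content/sitea/saml_login"),
    SamlConfig("ping", "/content/siteb", PING_ENTITY, "https://xyz.com/content/siteb/saml_login"),
]
HOST_SCOPED = [   # host name in the path field
    SamlConfig("siteminder", "https://abc.com/", SM_ENTITY, "https://abc.com/saml_login"),
    SamlConfig("ping", "https://xyz.com/", PING_ENTITY, "https://xyz.com/saml_login"),
]

if __name__ == "__main__":
    ping_assertion = assertion_for(PING_ENTITY)
    print(handle_response("https://xyz.com/saml_login", ping_assertion, OVERLAPPING))
    print(handle_response("https://xyz.com/content/siteb/saml_login", ping_assertion, PATH_SCOPED))
    print(handle_response("https://xyz.com/saml_login", ping_assertion, HOST_SCOPED))
```

With OVERLAPPING, a Ping assertion posted to xyz.com is picked up by the SiteMinder handler and fails the audience check, which is the loop described in the question; with PATH_SCOPED or HOST_SCOPED the Ping handler wins the request and the audience matches. The audience check itself is deliberately strict: an assertion whose Audience names a different SP is exactly what lets a token issued for one site be replayed at another, so the rejection is correct behaviour, and the fix belongs in the routing, not in loosening the check.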

kautuk_sahni (Community Manager)

@visa679, thank you for sharing the solution/fix with the community. Great to have phenomenal SMEs like you. Looking forward to more contributions from you in the AEM Community.